If you browse to a major website on the internet, chances are you’ll see something next to the URL—a tiny lock icon, next to the prefix “HTTPS.” This indicates that you’re currently using a secure version of the Hypertext Transfer Protocol. It means that the connection between your web browser and the application you are viewing is encrypted via TLS (Transport Layer Security). In effect, it is very difficult for a potential attacker to eavesdrop on what users are doing on a site that’s protected by the HTTPS protocol.
HTTPS Has Never Been Unbreakable
Difficult as it may be, however, the HTTPS protocol is not unbreakable. Hackers commonly employ what’s known as a “man-in-the-middle” (MITM) attack. In this instance, attackers may use a phishing email to direct users to a fake website. The website might look exactly like a real banking or e-commerce site, thus tricking users into entering their personal information, such as address details and credit card numbers. A version of this attack was used to scam eBay users back in 2014.
Similarly, a website might end up using an outdated version of TLS or SSL to encrypt its communications. These outdated variants are subject to several bugs that might allow attackers to decrypt communications. The most famous example of this was the Heartbleed bug. This bug allowed attackers to exploit outdated versions of SSL to output a site’s password, user database, certificate codes, and more.
Now, there’s a new bug to worry about.
An Outdated Protocol Leaves Users Vulnerable
Security researchers have now discovered a way to bypass HTTPS encryption entirely. The exploit, which was demoed at Black Hat this summer, relies on a browser feature called Web Proxy Autodiscovery (WPAD). Like many components involved in major exploits, WPAD is effectively obsolete, yet it is still supported by all major browsers. Essentially, WPAD tells the browser where to download a proxy configuration file, which the browser then executes to determine which proxy to use for its web requests.
Bad actors can get around HTTPS by using this obsolete protocol as an attack vector. When a computer connects to a new network, it sometimes requests a proxy auto-config (PAC) file via WPAD. If that file is malicious, it can hand the attacker the plaintext version of the user’s destination URL before the HTTPS connection is initiated, because the browser consults the PAC file for every request before it connects. The most vulnerable users are those who often connect to networks outside their home and office: at airports, in cars, in coffee shops, and so on.
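To make the mechanism concrete, here is an added example (not code from the original post or from Coronet): a toy PAC evaluator that shows exactly what a proxy auto-config script is handed for each request, alongside the mitigation of passing only the origin of https:// URLs to the script. The PAC script, the hostnames and the request URL are all constructed for this example.

```javascript
// Added example, not part of the original post: a toy PAC evaluator that shows
// what a proxy auto-config script is given for each request, and the mitigation
// of passing only the origin of https:// URLs to the script.

// Constructed, benign PAC script. A browser calls FindProxyForURL(url, host)
// for every request, before any TLS handshake for that request takes place.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".example.internal")) {
    return "PROXY proxy.example.internal:8080";
  }
  return "DIRECT";
}`;

// PAC helper normally supplied by the browser; simplified here.
function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}

// Mitigation: reduce https:// URLs to their origin (scheme + host) before the
// PAC script sees them, so a hostile script cannot learn the path or query.
// Plain http:// URLs are left alone; they travel in the clear anyway.
function sanitizeForPac(rawUrl) {
  const u = new URL(rawUrl);
  return u.protocol === 'https:' ? `${u.protocol}//${u.host}/` : rawUrl;
}

// Runs the PAC script and returns both its proxy decision and the exact URL
// the script was handed. Real browsers sandbox this evaluation; new Function
// is used here only to keep the toy self-contained.
function evaluatePac(pacSource, rawUrl, { sanitize = true } = {}) {
  const url = sanitize ? sanitizeForPac(rawUrl) : rawUrl;
  const host = new URL(url).hostname;
  const findProxy = new Function('dnsDomainIs', `${pacSource}\nreturn FindProxyForURL;`)(dnsDomainIs);
  return { proxy: findProxy(url, host), urlSeenByScript: url };
}

// Demonstration on a constructed request carrying a sensitive query string.
const REQUEST = 'https://bank.example.com/accounts?id=42&token=secret';
console.log('unsanitized:', evaluatePac(SAMPLE_PAC, REQUEST, { sanitize: false }).urlSeenByScript);
console.log('sanitized:  ', evaluatePac(SAMPLE_PAC, REQUEST).urlSeenByScript);
```

Without sanitization the script receives the full URL, query string included, before any TLS connection exists; with it, the script still makes a correct proxy decision from the host alone.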
Protecting Users from Unholy PAC
This vulnerability, dubbed Unholy PAC, may prove resistant to easy fixes. WPAD functionality has been embedded in web browsers since the late 1990s, so simply removing it could cause a cascade of additional problems. While there are a number of potential patches and workarounds that might also work, none have yet been released, leaving users out in the cold.
At Coronet, we’ve long recognized the vulnerability of users who find connectivity outside their home networks. This new PAC bug appears to make these remote workers even more defenseless. Fortunately, Coronet users will find themselves well-defended. Our machine-learning software can quickly adapt to recognize when a user’s connection is being threatened. In response, it can help make the targeted endpoint nearly invisible to attackers.